PROCESS DEVICE WITH SUPERVISORY OVERLAYER

BACKGROUND OF THE INVENTION 
The present invention relates to process devices of the type used to monitor or control operation of an industrial process. More specifically, the present invention relates to safety certification of such process devices.

Process devices are used in industrial process control systems to monitor and/or control industrial processes. A control device is a process device which is used to control the process. Example control devices include pumps, valves, actuators, solenoids, motors, mixers, agitators, breakers, crushers, rollers, mills, ball millers, kneaders, filters, blenders, cyclones, centrifuges, towers, dryers, conveyors, separators, elevators, hoists, heaters, coolers, and other such equipment. A transmitter is a process device which is used to sense (or monitor) operation of the process, for example by monitoring a process variable such as temperature, pressure, flow, etc. The monitored process variable is transmitted so that it can be used by other equipment in the process, for example by a central control room. Another example process device is a process monitor or communicator which is used to monitor operation of the process, equipment used in the process such as process transmitters or process controllers, and control process devices, for example by programming or sending instructions to the device.




Typically, process devices have a fairly robust design and are manufactured for long life with a low failure rate. The failure of a process device can have significant impact on the process and may require the process to be temporarily shut down while the device is repaired or replaced. However, there are some applications for process devices which require a level of performance which significantly surpasses the level provided by typical process devices. Such devices must meet a "safety certification process" or a "Safety Integrity Level" (SIL) certification. This certification provides a metric for configuring a process to meet a desired safety requirement.

Safety integrity levels are a set of standards which provide metrics which can be used to measure the safety of a process. Safety integrity levels can provide information and provide a way of measuring expectations regarding whether a process can perform safely and whether, in case of a failure, the process will fail in a safe manner. SIL ratings are related to a product's reliability. For example, a product must be shown to "be available" to perform its designated task at some predetermined rate. This availability is related to the mean time between failures (MTBF) for the product as well as the mean time to repair (MTTR), and the probability to fail on demand (PFD). In general, the use of safety integrity levels is described in "Functional Safety and Safety Integrity Levels" Applications Note Bently Nevada BN Part Number 149409-01 Revision A, April 2002. One technique which can be used to increase the safety integrity level certification for a device is to use components such as electrical or mechanical parts which are less likely to fail. Design procedures can also be used, for example providing redundant systems to reduce failures. In addition to reducing failures, process devices can be used to detect a particular failure event and provide a desired response, such as a controlled shut down of the process. In general, designing a process device in order to meet such certification requirements is a difficult and time-consuming process.

SUMMARY

An apparatus for use in a process device provides a desired Safety Integrity Level (SIL) for the process device. A device interface couples to the process device and provides an output related to operation of a component of the process device. A component monitor monitors operation of the component with the output from the device interface and identifies a safety event of the component. A safety response module responds to the safety event of the component in accordance with a desired response.

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a diagram of an industrial process including a process transmitter coupled to process piping.

Figure 2 is a simplified block diagram showing a process device with a supervisory overlayer.

Figure 3 is another simplified block diagram showing the process device of Figure 2.

Figure 4 is a block diagram of a process device including various examples of specific supervisory overlayer functionality.

Figure 5 is a simplified diagram of various components of a supervisory overlayer in accordance with the present invention.

DETAILED DESCRIPTION 
Many industrial processes are inherently hazardous. These processes typically use toxic, flammable or reactive materials, and often at elevated temperatures and pressures. In the event of equipment malfunction or human error in these processes a catastrophic event may occur. Safety Instrumented Systems (SIS) are automation systems designed to prevent these events. Interest, particularly in the chemical, petrochemical, and refining industries, in these safety systems has increased over the last few years because of new international standards.

A Safety Instrumented System may be defined as a system composed of sensors, logic solvers and final control elements designed for the purpose of:

- Automatically taking a process to a safe state when pre-determined conditions are violated.

- Allowing a process to continue in a safe manner when specified conditions allow.

- Taking action to mitigate the consequences of an industrial hazard.

Safety Instrumented Systems (SIS) are very similar to Basic Process Control Systems (BPCS) in that they both use similar components. The systems include all the elements from the sensor to the final control element connected to the process, including inputs, outputs, SIS user interfaces, power supply, and a logic solver. SIS components are usually separate and independent from the BPCS. Given the purpose of a SIS, additional design requirements must be met. The Basic Process Control System (BPCS), Alarms, and Safety Instrumented Systems (SIS) are all prevention layers. Remaining layers are mitigation layers.

For example, a plant may have many layers of protection to protect personnel, equipment, and local communities from a catastrophic event. Some layers of protection are prevention layers and some layers are mitigation layers. A prevention layer is there to prevent the catastrophic event from happening. A mitigation layer is used to contain the event and reduce its cost after the event has occurred. The Basic Process Control System (BPCS), Alarms, and Safety Instrumented Systems are all prevention layers. Remaining layers are mitigation layers.

To illustrate layers of protection, an example of a reaction in a vessel can be used. Given the right conditions, the reaction could "runaway" and without different layers of protection, the tank could explode and cause significant damage.

Example Protection layers include:
Layer 1: Basic process control system to control the temperature/pressure.
Layer 2: An audible alarm to tell the operator to manually shut a valve to stop the reaction.
Layer 3: An SIS to reduce the pressure before the tank ruptures.

Example mitigation layers include:
Layer 4: A pressure relief valve to open before the tank ruptures.
Layer 5: The Plant Emergency Response team to make sure that the vapor released by the pressure relief valve does not cause further damage and to minimize contamination to the environment.

The SIS layer is the final prevention layer. If there is a failure in the SIS, the hazard cannot be prevented; only the mitigation layers remain to limit the amount of resulting damage. It is important that the SIS layer provide enough protection to prevent significant damage or loss of life. The amount of protection required equates to risk management.

Although all the elements and components must be considered when specifying a SIS, the three key components in the calculation include sensors, logic solvers and final control elements.

Sensors measure pressure, temperature, flow, mass flow, level, flame detectors, pH or other parameters. They range from simple pneumatic or electrical switches to Smart transmitters with on-board diagnostics. SIS sensors can be the same as typical process sensors (under certain qualifying conditions) or can be sensors specifically designed for SIS applications. Sensors specially designed for SIS may have extra internal diagnostics and software allowing fault detection and controlled access to device setup and calibration.

Safety standards do not prescribe any specific type or technology for sensors used in SIS applications. It is up to the designer of the system to determine an optimized/safe technology to meet the standard.

However, standards do define the specific requirements the end user must follow when specifying, installing, and maintaining SIS sensors.

The logic solver is typically a controller that reads signals from the sensors and executes preprogrammed actions to prevent a hazard. There are many similarities between a safety logic solver and a conventional Digital Control System (DCS) or Programmable Logic Controller (PLC). They both perform logic functions and both have input and output capability from sensors and final control elements. The difference is that the SIS Logic Solver is designed to be fault tolerant, to have internal redundancy, and to fail in a safe mode. It is designed with extra internal diagnostics and hardware and software that will allow it to detect faults. The safety logic solver also has added security to ensure against accidental configuration changes.

Similar to sensors, standards do not dictate what type of Logic Solver to use, only the requirements for its application.

Final Control Elements represent the final stage in implementing a safety shutdown. This is the component that acts to bring about the safe state. These elements include solenoid valves, ON/OFF valves, and motor starters. The most common are solenoid valves which provide air to a diaphragm or the piston actuator of a process shutdown valve. Valve suppliers have recently released smart positioners expressly designed for SIS applications. Similar to sensors, SIS final control elements can be the same as typical process final control elements under certain qualifying conditions or they can be specifically designed for SIS applications. These specially designed final control elements have extra internal diagnostics and software enabling fault detection.

Again, similar to sensors, standards do not prescribe any specific technology for final control elements used in SIS applications. It is up to the designer of the system to determine an optimized/safe technology. The standard only states the requirements the end user must follow.

There is a similar theme in the three components of a SIS. That theme is diagnostics. A SIS is designed to detect a process upset and bring the process back to a safe state. It is imperative that the operator be made aware of any SIS fault and be able to respond to it.

As discussed above, process devices which are used to measure, monitor and control industrial processes, are typically designed to a very high level of reliability. However, there are some instances in which process devices must meet further operational requirements. For example in a Safety Instrumented System, the process device may be required to meet certain Safety Integrity Level (SIL) certifications. Example regulatory standards include IEC 61511, IEC 61508 and ISA SP 84.01. These standards require complex development processes, rigid control over changes in the components, and significant validation and verification activities. Compliance with these standards often requires extra design time and adds a level of uncertainty to the overall development cycle for new process devices. Further, once a device is certified, any change to the device must be analyzed and the device recertified, if necessary.

One of the primary elements of obtaining a Safety Integrity Level (SIL) certification is an analysis to determine the Safe Failure Fraction (SFF) of the device. SFF analysis is performed using a Failure Modes, Effects and Diagnostics Analysis (FMEDA) on the device to determine how the device behaves during various hardware and software fault conditions for all of the components in the device. This test attempts to determine the total number of potentially dangerous device failures and the percentage of those failures which are prevented from incorrectly altering the output of the device. In a specific example, to achieve a SIL2 certification, the FMEDA must indicate an SFF of at least 90%.
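
A worked FMEDA tally for the analysis described above, added here as an illustration and not taken from the patent. It uses the IEC 61508 form of the Safe Failure Fraction, SFF = (total failure rate - dangerous undetected rate) / total failure rate, and shows how diagnostics that catch previously undetected dangerous failure modes move a device across the 90% figure quoted in the text. The component names, failure modes and FIT rates are constructed sample values.

```c
#include <stdio.h>
#include <stddef.h>

/* Failure-mode categories used when classifying FMEDA rows. */
enum fm_class { SAFE_DETECTED, SAFE_UNDETECTED,
                DANGEROUS_DETECTED, DANGEROUS_UNDETECTED };

struct fm_row {
    const char *component;     /* constructed sample name */
    const char *mode;          /* constructed failure mode */
    double fit;                /* failures per 1e9 hours (constructed) */
    enum fm_class cls;         /* classification of the bare device */
    int overlayer_detects;     /* 1 if a supervisory check catches this mode */
};

/* Constructed sample table; the rates sum to 500 FIT. */
static const struct fm_row FMEDA[] = {
    {"sensor module",  "stops sending updates",  60.0, DANGEROUS_UNDETECTED, 1},
    {"sensor module",  "draws excess current",   40.0, DANGEROUS_UNDETECTED, 1},
    {"loop control",   "output current drifts",  50.0, DANGEROUS_UNDETECTED, 1},
    {"microprocessor", "hangs",                  30.0, DANGEROUS_UNDETECTED, 1},
    {"memory",         "stored data corrupted",  20.0, DANGEROUS_DETECTED,   0},
    {"A/D reference",  "slow in-range drift",    25.0, DANGEROUS_UNDETECTED, 0},
    {"regulator",      "output drops to zero",  175.0, SAFE_DETECTED,        0},
    {"display",        "goes blank",            100.0, SAFE_UNDETECTED,      0},
};
#define FMEDA_N (sizeof FMEDA / sizeof FMEDA[0])

/* SFF over the table. With with_overlayer set, dangerous undetected modes
 * that a supervisory check catches are reclassified as dangerous detected. */
double sff(const struct fm_row *rows, size_t n, int with_overlayer)
{
    double total = 0.0, dangerous_undetected = 0.0;
    for (size_t i = 0; i < n; i++) {
        enum fm_class c = rows[i].cls;
        if (with_overlayer && c == DANGEROUS_UNDETECTED && rows[i].overlayer_detects)
            c = DANGEROUS_DETECTED;
        total += rows[i].fit;
        if (c == DANGEROUS_UNDETECTED)
            dangerous_undetected += rows[i].fit;
    }
    return total > 0.0 ? (total - dangerous_undetected) / total : 0.0;
}

/* The 90% threshold is the SIL2 figure given in the text. */
int meets_sil2_sff(double s) { return s >= 0.90; }

int main(void)
{
    double bare = sff(FMEDA, FMEDA_N, 0);
    double wrapped = sff(FMEDA, FMEDA_N, 1);
    printf("bare device:     SFF %.1f%%  SIL2 threshold met: %d\n",
           bare * 100.0, meets_sil2_sff(bare));
    printf("with overlayer:  SFF %.1f%%  SIL2 threshold met: %d\n",
           wrapped * 100.0, meets_sil2_sff(wrapped));
    return 0;
}
```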

The present invention provides a supervisory overlayer for using with or in a process device. The supervisory overlayer monitors operation of the process device and is used to prevent, mitigate and/or detect failure of component(s) or other aspects of the device, including the supervisory overlayer itself. The present invention is applicable to Safety Instrumented Systems as well as Basic Process Control Systems.

In general, the present invention is applicable to any process device including measurement (sensor), control and host (logic solver) devices. A "supervisory wrapper" is placed around a device, or portions of a device, and provides an improved safety integrity level. This allows the creation of a safety certified device that includes non-certified components or devices. In one embodiment, a non-certified device can be upgraded, for example while in the field, into a certified device through a software upgrade. In a second embodiment, a non-certified device can be upgraded, for example while in the field through an electronics upgrade. In addition to its use with SIS, this "supervisory wrapper" can be used to provide improved capability for the device such as advanced diagnostics. The present invention uses various techniques to improve the safety integrity level for a device. For example, the "supervisory overlayer" provided by the invention can identify a component that may fail, or is in the process of failing prior to its ultimate failure such that the component can be replaced without triggering an unsafe condition. In another example, the invention can compensate for a component that has failed, or is in the process of failing such that an unsafe condition does not occur. In another example, the invention can provide an output which indicates that an unsafe condition has occurred, or is about to occur such that appropriate steps can be taken. When used with an SIS device, the invention can provide an indication that the device's monitoring or response capability has failed or may fail.

Figure 1 is a diagram of process control system 10 which includes a transmitter 12 connected to process pipe 16. System 10 can be a basic process control system or can be a safety instrumented system. As discussed below, transmitter 12 is one type of process device and the present invention is applicable to any process device.

Transmitter 12 is coupled to a two-wire process control loop which operates in accordance with a communication protocol such as Fieldbus, Profibus or HART® standard. Currently, SIS systems are only approved with two-wire 4-20 mA loops. However, the invention is not limited to these standards or a two-wire configuration. Two-wire process control loop 18 runs between transmitter 12 and the control room 20. In an embodiment in which loop 18 operates in accordance with the HART® protocol, loop 18 carries a current I which is representative of a sensed process variable. Additionally, the HART® protocol allows a digital signal to be superimposed on the current through loop 18 such that digital information can be sent to or received from transmitter 12. When operating in accordance with the Fieldbus standard, loop 18 carries a digital signal and can be coupled to multiple field devices such as other transmitters.

The present invention is applicable to any process device which is used in a process control environment. In general, process devices, such as transmitter 12 shown in Figure 1 are used to monitor or control process variables. Process variables are typically the primary variables which are being controlled in a process. As used herein, process variable means any variable which describes the condition of the process such as, for example, pressure, flow, temperature, product level, pH, turbidity, vibration, position, motor current, any other characteristic of the process, etc. Control signal means any signal (other than a process variable) which is used to control the process. For example, control signal means a desired process variable value (i.e. a setpoint) such as a desired temperature, pressure, flow, product level, pH or turbidity, etc., which is adjusted by a controller or used to control the process. Additionally, a control signal may include calibration values, alarms, alarm conditions, the signal which is provided to a control element such as a valve position signal which is provided to a valve actuator, an energy level which is provided to a heating element, a solenoid on/off signal, etc., or any other signal which relates to control of the process. In the context of SIS, the control signal can be a signal which safely shuts down a process. A diagnostic signal as used herein includes information related to operation of devices and elements in the process control loop, but does not include process variables or control signals. For example, diagnostic signals may include valve stem position, applied torque or force, actuator pressure, pressure of a pressurized gas used to actuate a valve, electrical voltage, current, power, resistance, capacitance, inductance, device temperature, stiction, friction, full on and off positions, travel, frequency, amplitude, spectrum and spectral components, stiffness, electric or magnetic field strength, duration, intensity, motion, electric motor back emf, motor current, loop related parameters (such as control loop resistance, voltage, or current), or any other parameter (other than process variables) which may be detected or measured in the system. Furthermore, process signal means any signal which is related to the process or element in the process such as, for example, a process variable, a control signal or a diagnostic signal. Process devices include any device which forms part of, or couples to, a process control loop and is used in the control or monitoring of a process.

As discussed above, Figure 1 is a diagram showing an example of a process control system 10 which includes process piping 16 which carries a process fluid and two-wire process control loop 18 carrying loop current I. A transmitter 12, controller 22, which couples to a final control element in the loop such as an actuator, valve, a pump, motor or solenoid, communicator 26, and control room 20 are all part of process control loop 18. It is understood that loop 18 is shown in one configuration and any appropriate process control loop may be used such as a 4-20 mA loop, 2, 3 or 4 wire loop, multi-drop loop and a loop operating in accordance with the HART®, Fieldbus or other digital or analog communication protocol. In operation, transmitter 12 senses a process variable such as flow using sensor 21 and transmits the sensed process variable over loop 18. The process variable may be received by controller/valve actuator 22, communicator 26 and/or control room equipment 20. Controller 22 is shown coupled to valve 24 and is capable of controlling the process by adjusting valve 24 thereby changing the flow in pipe 16. Controller 22 receives a control signal over loop 18 from, for example, control room 20, transmitter 12 or communicator 26 and responsively adjusts valve 24. In another embodiment, controller 22 internally generates the control signal based upon process signals received over loop 18. Communicator 26 may be the portable communicator shown in Figure 1 or may be a permanently mounted process unit which monitors the process and performs computations. Process devices include, for example, transmitter 12 (such as a 3051S transmitter available from Rosemount Inc.), controller 22, communicator 26 and control room 20 shown in Figure 1. Another type of process device is a PC, programmable logic unit (PLC) or other computer coupled to the loop using appropriate I/O circuitry to allow monitoring, managing, and/or transmitting on the loop.

Any of the process devices 12, 20, 22 or 26 shown in Figure 1 may include a supervisory overlayer capability in accordance with the present invention.

Figure 2 is a simplified block diagram of a process device 100 in accordance with one embodiment of the present invention. Process device 100 includes process circuitry and components 102 which allow the device 100 to interact with the industrial process. Such interaction can include monitoring or controlling process variables for use in a basic process control system or a safety instrumented system. In accordance with the present invention, process device 100 includes a supervisory overlayer 104 which couples to process circuitry and components 102. Optional additional sensor(s) 106 can also couple to supervisory overlayer 104 and be used to monitor operation of components in process device 100.

During operation, circuitry and components 102 of process device 100 operate generally in accordance with standard process device components. For example, the process device circuitry and components 102 may sense a process variable for use by the process device 100 or for transmission over the two-wire process control loop 18, or may generate an output which is used to control operation of the process, for example by controlling a valve. If supervisory overlayer 104 detects the occurrence of a component failure, an impending component failure, or the possibility that a component might fail, supervisory overlayer 104 controls the process device 100 in order to take steps appropriate with the desired safety integrity level certification. For example, supervisory overlayer 104 can compensate for measurement errors if the amount of the error can be accurately determined or approximated. Alternatively, or in addition to, supervisory overlayer 104 can take steps to shut down the process device 100 and/or send a message to external components, for example through process control loop 18, indicating the fault or failure that has been sensed or predicted by supervisory overlayer 104.

Figure 3 is a simplified diagram of a process device showing another view of the supervisory overlayer 104. In Figure 3, process device 100 is shown as including a process interface 120, device circuitry 122 and input/output circuitry 124. The process interface 120 can be any mechanical and/or electrical circuitry which is used to couple the process device 100 to the industrial process. For example, the process interface can comprise a sensor such as a pressure sensor, flow sensor, temperature sensor, etc. used to sense process variables of the process. Other types of sensors are used to sense operation of the process device, for example current sensors, voltage sensors, etc. Similarly, process interface 120 can comprise an output stage which couples to a control element, for example an output stage which provides a signal to a valve controller which controls operation of the valve, or can include the final control element itself. The process interface can comprise any interface with a component of the device, and can include a connection used for other purposes by the device. For example, a connection to a databus by a microprocessor can provide a device interface. The device circuitry 122 in general comprises the electrical circuitry within device 100 which is used to perform the various functions of device 100. For example, the circuitry can be used for measurement or control of the industrial process. The input/output interface 124 is used to couple the process device 100 to an external component of the process control system. In the example shown in Figure 3, the input/output circuitry 124 couples to a two-wire process control loop 18. Circuitry 124 can be used to send information over loop 18 or receive information from loop 18. In some embodiments, circuitry 124 includes the ability to power all of the circuitry within device 100 with power received over process control loop 18. The supervisory overlayer 104 may couple to one or more of the circuits 120, 122 or 124 as desired. The supervisory overlayer 104 can be implemented in software in a microprocessor, along with any required sensors or circuitry. The microprocessor can be a general microprocessor used to operate process device 100 or a separate microprocessor to execute the supervisory overlayer function. Some or all of the components which implement supervisory overlayer 104 can be shared with other circuitry within process device 100.

Figure 4 is a block diagram of a process device 200 which includes a specific implementation of the supervisory overlayer 104 shown in Figures 2 and 3. In the embodiment of Figure 4, the supervisory overlayer is implemented through multiple components in device 200. Process device 200 is configured as a transmitter and includes a sensor module 202 which is configured to couple to the industrial process and measure a process variable. In accordance with known techniques, device 200 provides an output on loop 18 which is related to one or more process variables sensed by a sensor in sensor module 202 which couples to a feature module 203. Device 200 includes a microprocessor and memory 204 which couples to sensor module 202 through a data bus provided by data bus processor 206 and physical layer 208. Communication over process control loop 18 to and from the microprocessor 204 is provided using loop control circuitry 220 and communication circuitry 222. In accordance with techniques known in the art, communication is effected using analog and/or digital protocols. A loop feedback circuit 224 is used to monitor current through the loop 18 and provides feedback to communication circuitry 222. Loop override circuitry 226 is configured to override loop control circuitry 220 and set the loop current to a predefined level. In the embodiment shown in Figure 4, power from the loop 18 is also used to completely power the process device 200. A linear preregulator 240 provides a preregulated voltage to voltage regulator circuitry 242. Voltage regulator circuitry 242 provides supply voltages +VSS and +VSS 1 to circuitry within process device 200. A separate power control module 256 provides power to the sensor module 202.

Microprocessor 204 is connected to windowed watch dog circuitry 250. The circuit 250 resets microprocessor 204 if microprocessor 204 does not provide periodic inputs to circuit 250. A voltage drop across a resistor 254 is measured by analog to digital (A/D) converter 256 which provides an output to microprocessor 204. The voltage drop across resistor 254 is related to the current flowing through loop 18. Microprocessor 204 also couples to a loop override circuit 226. In some embodiments, sensor module 202 also couples to a display 270 such that information can be locally displayed by process device 200.

Device 200 implements a number of different supervisory overlayer functions. The supervisory overlayer can be provided as a modular attachment for example by updating software in the memory of controller 204, or retrofit to existing process control devices.

One supervisory overlayer function may include monitoring the stream of process measurement data provided by sensor module 202. The process variables are carried on data bus 282 and 284. However, in addition to monitoring the process variable stream, the supervisory overlayer functionality can monitor other activity on data bus 282 and 284 and provide a desired alarm output. If the sensor module 202 stops providing process variable updates, programming instructions within microprocessor 204 identify a safety event. Upon detection of a loss of data, the response of the microprocessor 204 can be configured as desired. For example, the microprocessor can provide a local alarm signal or can transmit an alarm signal on process control loop 18. If partial data loss is detected, in addition to providing an alarm signal, the microprocessor 204 can also attempt to interpolate between data points to provide limited functionality during the failure.
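
A sketch of the data-stream check described in the paragraph above, added as an example and not taken from the patent. It assumes updates are expected at a fixed period; the struct, function names, the 100 ms period and the 500 ms loss limit are hypothetical choices made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum pv_status { PV_OK, PV_PARTIAL_LOSS, PV_LOST };

struct pv_monitor {
    uint32_t period_ms;      /* expected spacing of updates (assumed) */
    uint32_t lost_after_ms;  /* silence longer than this is a safety event */
    uint32_t last_ms;        /* arrival time of the last real sample */
    double   last_value;     /* value of the last real sample */
    int      primed;         /* 0 until the first sample arrives */
    int      alarm;          /* latched alarm request for the response logic */
};

void pv_init(struct pv_monitor *m, uint32_t period_ms,
             uint32_t lost_after_ms, uint32_t now_ms)
{
    m->period_ms = period_ms;
    m->lost_after_ms = lost_after_ms;
    m->last_ms = now_ms;
    m->last_value = 0.0;
    m->primed = 0;
    m->alarm = 0;
}

/* Run from a timer tick whether or not data arrived: detects a stream
 * that has stopped completely. */
enum pv_status pv_poll(struct pv_monitor *m, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - m->last_ms) > m->lost_after_ms) {
        m->alarm = 1;
        return PV_LOST;
    }
    return PV_OK;
}

/* Run for each sample that does arrive. If update slots were skipped, the
 * gap is reported as partial loss and the missing points are filled by
 * linear interpolation between the previous and the new sample. */
enum pv_status pv_on_sample(struct pv_monitor *m, uint32_t t_ms, double value,
                            double *fill, size_t max_fill, size_t *n_fill)
{
    enum pv_status st = PV_OK;
    *n_fill = 0;
    if (m->primed) {
        uint32_t gap = t_ms - m->last_ms;
        /* Whole periods elapsed, rounded to nearest; 1 means nothing missed. */
        uint32_t slots = (gap + m->period_ms / 2) / m->period_ms;
        if (slots > 1) {
            st = PV_PARTIAL_LOSS;
            m->alarm = 1;
            for (uint32_t k = 1; k < slots && *n_fill < max_fill; k++)
                fill[(*n_fill)++] =
                    m->last_value + (value - m->last_value) * k / slots;
        }
    }
    m->last_ms = t_ms;
    m->last_value = value;
    m->primed = 1;
    return st;
}

int main(void)
{
    /* Constructed sample stream: updates at 0 and 100 ms, then a gap to 400 ms. */
    struct pv_monitor m;
    double fill[8];
    size_t n;
    pv_init(&m, 100, 500, 0);
    pv_on_sample(&m, 0, 10.0, fill, 8, &n);
    pv_on_sample(&m, 100, 12.0, fill, 8, &n);
    enum pv_status st = pv_on_sample(&m, 400, 18.0, fill, 8, &n);
    printf("status %d, %zu interpolated points, alarm %d\n", (int)st, n, m.alarm);
    printf("poll at 1000 ms: status %d\n", (int)pv_poll(&m, 1000));
    return 0;
}
```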

In another example of the supervisory overlayer, the data stream provided to the display 270 is monitored. If loss of the data stream is detected by microprocessor 204, the process device 200 can enter a selected alarm state, for example by transmitting an alarm over loop 18.

In another embodiment of the supervisory overlayer, the power control circuitry 256 monitors and controls power provided to the sensor module 202. For example, if the current drawn by the sensor module 202 exceeds a threshold, the power control circuit 256 can limit the current to the sensor module, or completely disconnect the sensor module if desired. Additionally, an alarm output can be provided. This allows the process device 200 to continue with limited functionality even though the sensor module 202 is failing without allowing the failure of sensor module 202 to cause complete failure of the entire device.

In another example embodiment of this
supervisory overlayer, the current level to which the
loop 18 is set is measured by the A/D 256 and
provided to the microprocessor block 204. If the
microprocessor detects that the loop current is
different than the value to which the loop control
circuitry 220 has set the current, the microprocessor
204 can provide an alarm output. If desired, the
microprocessor 204 can temporarily recalibrate the
loop control circuitry 220 such that the loop current
I is set to the desired level. Similarly, in some
embodiments the microprocessor 204 can activate loop
override circuitry 226 which overrides operation of
loop current control circuitry 220 and causes the
loop current I to be driven to a predetermined level.
The predetermined level can comprise, for example, an
alarm level.
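The loop current readback check described above can be sketched as follows. This is an added example, not code from the patent: the tolerance, trim limit, alarm level, the use of microamps, and the escalation order (alarm, then temporary trim, then latched override) are all assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed values in microamps (assumptions, not from the patent text). */
#define TOL_UA       50    /* accepted difference between set and measured */
#define MAX_TRIM_UA  500   /* largest temporary recalibration allowed      */
#define ALARM_UA     3600  /* predetermined level driven by the override   */

typedef enum { LOOP_OK, LOOP_TRIMMED, LOOP_OVERRIDE } loop_state_t;

typedef struct {
    int32_t      trim_ua;  /* temporary correction added to the setpoint */
    bool         alarm;    /* latched alarm output                        */
    loop_state_t state;
} loop_sup_t;

static int32_t abs32(int32_t v) { return v < 0 ? -v : v; }

/* One supervision cycle. target_ua is the value the loop control was asked
 * to set; measured_ua is the A/D readback of the actual loop current.
 * Returns the current to command on the next cycle. */
int32_t loop_supervise(loop_sup_t *s, int32_t target_ua, int32_t measured_ua)
{
    if (s->state == LOOP_OVERRIDE)
        return ALARM_UA;                 /* override stays latched */

    int32_t err = measured_ua - target_ua;
    if (abs32(err) <= TOL_UA)
        return target_ua + s->trim_ua;   /* readback agrees with setpoint */

    s->alarm = true;                     /* mismatch: raise alarm output */
    s->trim_ua -= err;                   /* temporary recalibration */
    if (abs32(s->trim_ua) > MAX_TRIM_UA) {
        s->state = LOOP_OVERRIDE;        /* trim exhausted: force alarm level */
        return ALARM_UA;
    }
    s->state = LOOP_TRIMMED;
    return target_ua + s->trim_ua;
}
```

Latching the override means a control path that drifts in and out of tolerance cannot silently clear the alarm level once it has been forced.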

In yet another example implementation of
the supervisory overlayer, a windowed watch dog
circuit 250 monitors operation of microprocessor 204.
During normal operation, the microprocessor 204 is
configured to regularly send a signal to the watch
dog circuitry 250. If the watch dog circuitry 250
either receives a signal from microprocessor 204 too
frequently or too slowly, the watch dog circuitry 250
can cause the device 200 to provide a desired alarm,
for example an alarm signal on loop 18 using loop
override circuitry 226.
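A software model of the windowed watch dog behaviour described above, as an added example that is not part of the patent: the window limits, the millisecond timebase and all names are assumptions. It shows why both a kick handler and an independent poll are needed, since a stalled processor never calls the kick handler at all.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed window limits (assumptions, not from the patent text). */
#define WD_MIN_MS  80u   /* a signal sooner than this is too frequent */
#define WD_MAX_MS 120u   /* no signal by this time is too slow        */

typedef enum { WD_OK, WD_TOO_FAST, WD_TOO_SLOW } wd_fault_t;

typedef struct {
    uint32_t   last_kick_ms;  /* time of the last accepted signal  */
    wd_fault_t fault;         /* latched until the device is reset */
} windowed_wd_t;

void wd_init(windowed_wd_t *wd, uint32_t now_ms)
{
    wd->last_kick_ms = now_ms;
    wd->fault = WD_OK;
}

/* Called when the microprocessor sends its periodic signal. */
wd_fault_t wd_kick(windowed_wd_t *wd, uint32_t now_ms)
{
    uint32_t dt = now_ms - wd->last_kick_ms;  /* unsigned: safe across wrap */
    if (wd->fault != WD_OK)
        return wd->fault;                     /* fault stays latched */
    if (dt < WD_MIN_MS)
        wd->fault = WD_TOO_FAST;              /* e.g. runaway loop */
    else if (dt > WD_MAX_MS)
        wd->fault = WD_TOO_SLOW;              /* e.g. overrun task */
    else
        wd->last_kick_ms = now_ms;            /* inside the window */
    return wd->fault;
}

/* Called from a timebase independent of the monitored processor, so a
 * processor that has stopped sending signals is still detected. */
wd_fault_t wd_poll(windowed_wd_t *wd, uint32_t now_ms)
{
    if (wd->fault == WD_OK && (now_ms - wd->last_kick_ms) > WD_MAX_MS)
        wd->fault = WD_TOO_SLOW;
    return wd->fault;
}

/* True when the loop override should drive the alarm signal. */
bool wd_alarm_requested(const windowed_wd_t *wd)
{
    return wd->fault != WD_OK;
}
```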

In another example, operation of the memory
of microprocessor and memory block 204 is monitored.
For example, memory can include a checksum bit or
other error detection mechanism. If the error
detection mechanism indicates that the data stored in
the memory is in error, the microprocessor can
provide a desired response, such as initiating an
alarm condition. The memory can be either volatile or
non-volatile memory.

Figure 5 is a simplified block diagram of
supervisory overlayer 104. As illustrated in the
above examples, the supervisory overlayer can detect
various types of failures or impending failures. The
above examples are for illustration purposes only. In
general, the supervisory overlayer includes some type
of device interface 310 which couples to a component
or components of the process device. This can be a
physical coupling, or can be an electrical coupling
or other coupling such that data or other signals are
monitored. The device interface 310 provides an
output 312 related to operation of a component or
components of the process device. The output 312 is
received by a component monitor 314 which monitors
operation of the component or components based upon
the output 312. The component monitor is configured
to identify a safety event in the component and
provide an output 316 to a safety response module
318. A safety event can be a prediction or indication
of a future failure or the detection of a failure
such as those discussed herein, or can be defined in
accordance with a particular safety standard or
requirement. The safety response module 318 provides
a safety response 320 in accordance with a desired
safety standard. The particular implementation of
device interface 310, component monitor 314, and
safety response module 318 can vary widely based upon
the implementation and may include both hardware and
software components. Further, the various blocks
illustrated in Figure 5 can exist in components which
already exist in a process device or can share
components among each other or among other
components.

In some embodiments, the supervisory
overlayer of the present invention is adapted to be
retrofit to an existing device. The retrofit can be
performed during or after manufacture. For example,
the supervisory overlayer can be embodied in a
feature module or board 203 for coupling to an
existing sensor module 202 such as shown in Figure 4.
In another example embodiment, the supervisory
overlayer can be provided through a software update.
The software update can be performed in the field, or
remotely and transmitted over a communication bus
such as a two wire process control loop. Preferably,
the software and circuitry associated with the
supervisory overlayer is completely isolated from
other components in the device. This provides
additional redundancy. The supervisory overlayer can
monitor more than one device, and is not limited to
monitoring the device in which it is implemented.
Similarly, the supervisory overlayer can operate
across multiple (distributed) devices such that
functions are performed between multiple devices and
information communicated between them. The
supervisory overlayer can be implemented in a device
which is part of the basic process control loop, or
can be implemented in a device which implements a
safety instrumented system. In one aspect, the
supervisory overlayer provides information related to
the availability of a particular device or component
and allows the device or component to be taken out of
the loop, in a predetermined manner upon detection of
an unavailability or of pending unavailability.

Although the present invention has been
described with reference to preferred embodiments,
workers skilled in the art will recognize that
changes may be made in form and detail without
departing from the spirit and scope of the invention.
The examples specifically set forth herein are just
for illustrative purposes only. The supervisory
overlayer can detect other failures or conditions and
provide a controlled response such as shutting down
the process device and/or sending an alarm signal. By
using the present invention, standard components used
in process devices can be monitored such that the
process device meets safety standards, such as those
required in certain certification procedures, which
the individual components and process device could
not otherwise achieve. In general, the supervisory
overlayer includes some type of device interface
which couples to the process device and provides an
output related to operation of a component or
components of the device. Some type of component
monitor monitors operation of the component based
upon the output from the device interface. A safety
failure of the component is identified by the
component monitor and a safety response module
provides a desired safety response in accordance with
the safety failure. The supervisory overlayer, device
interface, component monitor and safety response
module can be implemented in software and/or
hardware. The supervisory overlay can monitor a
plurality of process devices including devices which
are distributed across a control system. The
supervisory overlayer can be implemented in a device
which is completely powered with power from a two wire
process control loop, or can receive power from another
source.



